In r268924 __fflush was modified so that when write(2) was not successful,

_p and _w are adjusted to account for the partial write (if any). However, _p and _w should not be unconditionally adjusted and should only be changed when we actually wrote some bytes, or the accumulated accounting error will eventually result in a heap buffer overflow. Reported by: adrian and alfred (Norse Corporation) Security: FreeBSD-SA-14:27.stdio Security: CVE-2014-8611
2014-12-10 08:18:22 +00:00 · 2014-12-10 08:18:22 +00:00 · 6094244ca4
commit 6094244ca4
parent 8f2224905c
1 changed files with 6 additions and 4 deletions
--- a/lib/libc/stdio/fflush.c
+++ b/lib/libc/stdio/fflush.c
@ -124,11 +124,13 @@ __sflush(FILE *fp)
 		t = _swrite(fp, (char *)p, n);
 		if (t <= 0) {
 			/* Reset _p and _w. */
-			if (p > fp->_p)	/* Some was written. */
+			if (p > fp->_p) {
+				/* Some was written. */
 				memmove(fp->_p, p, n);
-			fp->_p += n;
-			if ((fp->_flags & (__SLBF | __SNBF)) == 0)
-				fp->_w -= n;
+				fp->_p += n;
+				if ((fp->_flags & (__SLBF | __SNBF)) == 0)
+					fp->_w -= n;
+			}
 			fp->_flags |= __SERR;
 			return (EOF);
 		}